During the investigation into the October 2025 Louvre Museum heist, it was revealed that parts of the museum's video surveillance network were protected by the password "Louvre." Further reporting indicated that sections of the system ran on Windows Server 2003 and relied on outdated surveillance management software. These findings point to long-term neglect of basic cybersecurity hygiene: the continued use of obsolete, unsupported systems and weak authentication.
Such oversights significantly increase exposure to unauthorized access and data compromise. Many large-scale breaches have started from equally simple oversights: unpatched systems, missing two-factor authentication, or weak passwords. This article reviews major incidents caused by these three failures and outlines practical steps to avoid becoming the next Louvre.
At the beginning of 2024, Deutsche Bahn, Germany's national railway carrier, advertised for an administrator to support Windows 3.11 systems. Many organizations still run systems and software that went out of support years or even decades ago. Such software carries vulnerabilities that will never be fixed, both in the product itself and in the third-party libraries and components it bundles, even when the same flaws were patched long ago in later builds. The consequences are predictable.
For example, the Equifax breach in 2017 was enabled by a known, patchable vulnerability in the Apache Struts framework (CVE-2017-5638). Attackers exploited the unpatched web component to run arbitrary commands on Equifax systems and steal personal data of roughly 143 million U.S. consumers (a figure Equifax later revised upward). The vendor fix had been available for about two months before the intrusion began, but was never installed on the affected system. (nvd.nist.gov)
WannaCry (May 2017) is an example of how unpatched operating systems can propagate damage at scale. The worm used the EternalBlue SMB exploit against Windows systems that had not applied Microsoft's MS17-010 security update, released two months earlier, encrypting files and disrupting hospitals, manufacturers and service providers worldwide. The incident illustrates how a single unpatched OS vulnerability can become a global outage. (cloudflare.com)
Back to the Louvre: investigators reported parts of the museum's surveillance estate running on Windows Server 2003, an OS whose extended support ended in July 2015 and which has received no security fixes since. Running unsupported server software creates exactly the same exposure as in the Equifax and WannaCry cases, with one difference: known weaknesses cannot be patched at all, and attackers know where to look for them.
Takeaway: old software is not merely legacy tech; it is an unpatchable attack surface. Patch promptly, and replace platforms that no longer receive vendor security updates.
We've been strong proponents of two-factor authentication, even if the tech gets in the way of our own work. Still, two-factor authentication is absolutely crucial for securing access, as is clearly demonstrated by the following cases.
The Colonial Pipeline ransomware incident (May 2021) demonstrates the impact of single-factor access control. The initial access vector was a compromised password for a legacy VPN account; because multi-factor authentication was not enforced for that account, the password alone was enough for the attackers to reach internal systems and deploy ransomware, causing a multi-day fuel distribution disruption. (CISA)
In the 2020 Twitter takeover, attackers used phone-based social engineering to obtain employee credentials, tricked employees into approving the second-factor prompt, and then used Twitter's internal account-management tools to post cryptocurrency scams from high-profile accounts. "For several hours, the world watched while the Hackers carried out a public cyberattack, by seizing one high-profile account after another and tweeting out a 'double your bitcoin' scam", according to the New York State Department of Financial Services report. The post-incident review concluded that phishing-resistant authentication (such as hardware security keys) and tighter controls on administrative access would have limited the scope of the breach, if not prevented it altogether.
It's a sad reality: many remote access systems, VPNs, cloud admin consoles and SaaS management panels still allow or default to password-only logins. Where multi-factor authentication is optional rather than mandatory, a stolen or phished password remains sufficient to gain entry.
Takeaway: enforce MFA for all administrative and remote access accounts; treat MFA as mandatory for any service that can affect data, finances, operations or safety. Where the account is privileged, prefer phishing-resistant factors (FIDO2 security keys or passkeys) over SMS or push approvals, which the Twitter case shows can be talked out of an employee.
Weak or default passwords remain one of the most persistent and preventable cybersecurity failures. Though they occasionally simplify the job of forensic password recovery, on a global scale default credentials lead to catastrophic breaches every year, most of which never make it to the press.
For example, the Mirai botnet (2016) exploited factory default and weak credentials on IoT devices (routers, DVRs, cameras). Automated scans logged into devices over Telnet using a short built-in list of credentials such as admin/admin or root/123456, recruited them into the botnet, and then launched high-volume DDoS attacks against major targets. The whole outbreak was driven by unchanged vendor defaults. (research.google.com)
Back in 2019, we reported a vulnerability in Synology NAS devices: the encryption feature for file shares used a single fixed, pre-programmed passphrase (the wrapping passphrase) across all units rather than a unique strong key per device (as was originally claimed by the manufacturer). In practice, this meant that if an attacker obtained the device's stored key file (for which access to the disk or volume alone was enough), they could unwrap it and decrypt the encrypted shares without cracking a user-set password. (Elcomsoft)
In March 2021, attackers gained access to Verkada's cloud platform and exposed live feeds from tens of thousands of security cameras in hospitals, prisons, offices and schools. The attack was reportedly unsophisticated: it relied on credentials for a "super admin" account that the attackers found exposed on the internet. The Verkada incident showed how an exposed administrative credential, combined with a super-admin role that could reach every customer's camera feeds, can produce widespread privacy and safety impacts. (Bloomberg)
The problem persists: CCTV systems in India and other countries have been compromised using credentials as simple as admin123, and entire building-access or elevator controllers have been exposed by a single default password. An IBM survey found that a large majority of router administrators had never changed the factory admin password, quantifying how widespread this basic failure is. (www.ndtv.com)
Takeaway: check each and every internet-connected device; change factory credentials and replace products that do not support secure authentication. Weak or default passwords are trivial for automated attackers to find, remaining one of the most common initial access vectors.
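The check in the takeaway can be automated. Below is an added example (not code from the original article or from any vendor mentioned in it) of an offline audit that flags devices whose stored admin password equals a published factory default, a trivially weak value, or a value derived from the device's own serial number or MAC address, the pattern behind the printer and camera cases in the table at the end of this article. The inventory, the hashing scheme (SHA-256 over a per-device salt and the password), the `derived_candidates` rules and the MFA flag are all assumptions constructed for the example; a real audit would feed in exported device configurations or a credential dump in the vendor's own format and use the vendor's hash algorithm.

```python
"""Added example: audit a device inventory for default, weak and
identifier-derived admin passwords. All data below is constructed."""
import hashlib

# Widely published factory defaults (a small sample; Mirai's list was longer).
# "admin"/"Louvre" is included only because of the case this article opens with.
KNOWN_DEFAULTS = [
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"), ("admin", "12345"),
    ("admin", "admin123"), ("root", "root"), ("root", "123456"), ("root", "vizxv"),
    ("root", "xc3511"), ("admin", "Louvre"), ("user", "user"), ("support", "support"),
]

# Values people pick when a setup wizard merely forces them to "change" the default.
WEAK_VALUES = ["123456", "password", "Password1", "qwerty", "welcome", "1111", "admin2024"]


def derived_candidates(device: dict) -> list:
    """Assumption for the example: some products derive the factory password
    from the serial number or MAC address, so a password equal to such a
    value is still a default even though it is unique per unit."""
    serial = device.get("serial", "")
    mac = device.get("mac", "").replace(":", "")
    cands = []
    if serial:
        cands += [serial, serial[-8:], serial[-6:]]
    if mac:
        cands += [mac[-6:], mac[-6:].lower(), mac[-4:]]
    cands.append(device.get("vendor", "").lower())
    return [c for c in cands if c]


def pw_hash(salt: str, password: str) -> str:
    """Constructed storage format: hex SHA-256 of salt || password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def audit_device(device: dict) -> list:
    """Return the reasons a device's admin credential is unacceptable (empty = OK)."""
    findings = []
    stored, salt, user = device["pw_hash"], device["salt"], device["username"]
    for u, p in KNOWN_DEFAULTS:
        if u == user and pw_hash(salt, p) == stored:
            findings.append(f"factory default credential {u}:{p}")
    for p in WEAK_VALUES:
        if pw_hash(salt, p) == stored:
            findings.append(f"weak password '{p}'")
    for p in derived_candidates(device):
        if pw_hash(salt, p) == stored:
            findings.append(f"password derived from device identifier ('{p}')")
    if device.get("remote_admin") and not device.get("mfa_enforced"):
        findings.append("remote admin interface without MFA")
    return findings


def audit(inventory: list) -> dict:
    """Map each host to its list of findings."""
    return {d["host"]: audit_device(d) for d in inventory}


def make_device(host: str, vendor: str, serial: str, mac: str, username: str,
                password: str, remote_admin: bool, mfa_enforced: bool) -> dict:
    """Build a constructed inventory record; the plaintext exists only to hash it."""
    salt = host  # constructed per-device salt
    return dict(host=host, vendor=vendor, serial=serial, mac=mac, username=username,
                salt=salt, pw_hash=pw_hash(salt, password),
                remote_admin=remote_admin, mfa_enforced=mfa_enforced)


# Constructed inventory: a camera, an NVR, a printer, a door controller, a VPN gateway.
INVENTORY = [
    make_device("cam-lobby-01", "Acme", "ACM19382011", "00:11:22:AA:BB:CC", "admin", "admin", True, False),
    make_device("nvr-main", "Acme", "ACM20050417", "00:11:22:AA:BB:DD", "admin", "Louvre", True, False),
    make_device("printer-2f", "Acme", "U63K2N9P4F1", "00:11:22:AA:BB:EE", "admin", "N9P4F1", False, False),
    make_device("door-ctl-b", "Acme", "DC-0001", "00:11:22:AA:BB:FF", "root", "1111", True, False),
    make_device("vpn-gw", "Acme", "VPN-77", "00:11:22:AA:BC:00", "admin", "c7!Rk2#vLp9@wQe4", True, True),
]

if __name__ == "__main__":
    for host, findings in audit(INVENTORY).items():
        print(host, "->", findings or "OK")
```

Two design points: candidate passwords are hashed and compared rather than the stored hash being cracked, so the audit is cheap even for slow hashes, and the candidate set is per device, because a password that merely differs between units is not automatically strong if it can be read off the label.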
Governments are increasingly recognizing that weak or default passwords are not just a user issue but a design flaw. New laws now place responsibility on manufacturers to ensure that devices ship with secure authentication and cannot be accessed with shared, factory-set credentials.
California, USA
California's IoT Security Law (SB-327), effective since January 2020, was the first law of its kind in the United States. It obliges device makers to either assign a unique password to each unit or require users to set their own credentials during setup. The measure targets exactly the type of shared default logins that powered botnets like Mirai.
European Union
The EU's Cyber Resilience Act (CRA), adopted in 2024 and in force since December 2024, establishes baseline cybersecurity requirements for all products with digital elements. It reinforces the principle that devices must not ship with universal default passwords and must let users set strong credentials on first use. This aligns with the earlier ETSI EN 303 645 consumer IoT security standard, whose first provision bans universal default passwords and which became the practical compliance baseline across Europe. The CRA's obligations phase in: vulnerability reporting from September 2026 and the remaining requirements from December 2027.
United Kingdom
The Product Security and Telecommunications Infrastructure (PSTI) Act 2022, in force from April 2024, requires manufacturers to eliminate "easily guessable" default passwords such as admin or 12345. Devices must either generate unique credentials or prompt users to set a password before first use. The law also mandates transparency about update timelines and vulnerability reporting. Penalties can reach £10 million or 4% of global turnover, whichever is greater.
Other regions
Oregon introduced a similar framework at the same time as California. In Asia, countries such as Japan and Singapore have issued IoT security guidelines recommending unique passwords and secure-by-default design, though enforcement remains limited. China's and India's cybersecurity rules currently emphasize data protection more than device authentication, but regulatory attention is increasing.
Across jurisdictions, the direction is clear: unique or user-set credentials are becoming mandatory, while shared default passwords are being banned outright. Manufacturers, not end-users, are now accountable for baseline security. Slowly, major jurisdictions are pushing manufacturers from voluntary best practices to enforceable standards, attempting to close one of the oldest and most preventable gaps in digital security.
Outdated software and missing multi-factor authentication remain two of the most common causes of preventable breaches. Systems that no longer receive updates cannot be defended against known flaws, while single-factor logins make a stolen credential enough to gain access. The fix is simple: keep systems updated, retire what cannot be updated, and require a second verification step for any account that matters.
Weak or default passwords continue to undermine even well-designed systems. Every connected device, from routers to cameras, should be checked for unchanged factory credentials. Replace them with strong, unique passwords and store them in a password manager. It takes only minutes to remove one of the easiest ways for attackers to break in.
Cybersecurity isn't about paranoia; it's about hygiene. The Louvre's password might make headlines today, but behind every "Louvre" there's a lesson: security lapses start small and end big. Start your essential security hygiene audit today: patch, enforce MFA, and eliminate default credentials. Don't be a Louvre.
We compiled a partial list of incidents involving weak passwords and outdated software.
| # | Incident (year) | Summary | Root cause | Source |
|---|---|---|---|---|
| 1 | Mirai botnet (2016) | Mirai scanned for IoT devices using factory/default credentials (e.g., admin:admin, root:123456), enslaved hundreds of thousands of devices and powered massive DDoS attacks (Krebs, Dyn, OVH, etc.). | Default passwords on IoT. | (Wikipedia) |
| 2 | Verkada camera breach (Mar 2021) | Attackers obtained internal/admin credentials and accessed live feeds from ~150,000 cameras across hospitals, prisons, schools and companies; footage and sensitive data were downloaded. The compromise pivoted on exposed admin credentials in vendor tooling. | Exposed admin credentials / insufficient credential protection. | (Axios) |
| 3 | Equifax (2017) | While the main breach exploited an unpatched Apache Struts flaw, later filings and reporting alleged that some internal portals used default/weak credentials (e.g., admin/admin), pointing to wider credential-hygiene problems. | Default/weak internal credentials (contributed to risk). | (computing.co.uk) |
| 4 | Enterphone door access systems (2024/2025 disclosure) | A researcher found dozens of apartment/office buildings whose door/elevator control panels still used the vendor's default password, enabling remote access to physical entry controls. The vendor later issued a patch requiring a password change. | Default password on physical access control. | (TechCrunch) |
| 5 | Rajkot maternity hospital / Indian CCTV leaks (reported 2024–2025) | Multiple CCTV dashboards (including a maternity hospital) used default/weak credentials (admin123 etc.), enabling attackers to access and leak sensitive video footage. | Default/weak CCTV passwords. | (Pune Mirror) |
| 6 | VOIP-based botnet attacking routers (ongoing reporting) | Reports of a VOIP-targeting botnet that compromises routers configured with default or weak passwords to recruit them into attack infrastructure. | Default/weak router credentials. | (Cyber Security News) |
| 7 | Brother printers bug (689 models), default admin password exposure (2024/2025 disclosure) | A vulnerability across hundreds of Brother models exposed default admin access (serial-number-derived, and therefore predictable, admin credentials), letting attackers access printers and internal networks. | Default / serial-derived admin passwords. | (BleepingComputer) |
| 8 | Sitecore XP, hard-coded password 'b' (June 2025) | Researchers found a hard-coded password in Sitecore XP that could be abused to achieve remote code execution in some enterprise deployments, a classic case of a built-in credential creating a remote compromise path. | Hard-coded password in enterprise software. | (The Hacker News) |
| 9 | SinoTrack GPS trackers (June 2025) | GPS tracking devices shipped with default credentials or easily guessed login details, allowing remote attackers to track and control vehicles; remote vehicle control and data disclosure were possible. | Default credentials on fleet/GPS devices. | (The Hacker News) |
| 10 | McDonald's AI hiring tool, password 123456 exposed (2025) | A weak password (123456) on the administrative account of an AI hiring tool exposed data on millions of applicants (reported ~64M), demonstrating the risk when application/tool credentials are trivial. | Weak password on HR/app tool. | (CSO Online) |
| 11 | LogicMonitor incident (2023) | LogicMonitor reportedly issued weak default passwords of the form Welcome@ plus a short number to customers; attackers used those weak/default credentials to access customer monitoring accounts, and customers reported follow-on compromises. | Weak/default vendor-assigned passwords. | (TechCrunch) |
| 12 | CloudPets smart-toy exposure (2017) | The company left a poorly secured database and weak/absent password protections for user accounts; voice messages and user accounts of hundreds of thousands of people were exposed. | Weak auth / poor credential practices. | (theguardian.com) |
| 13 | Hangzhou Xiongmai / camera recalls after Mirai (2016 aftermath) | Major camera vendors recalled millions of devices after Mirai-era findings: many cameras shipped with default/root passwords and insecure firmware, and these unchanged defaults were central to mass infection. | Factory default credentials on millions of cameras. | (WIRED) |
| 14 | Various industrial / infrastructure incidents (e.g., water facility reports) | Multiple advisories and news reports highlight controllers, PLCs and water-system interfaces left with default or trivial passwords (e.g., 1111), creating paths for interference with critical infrastructure. | Default/trivial passwords on ICS/OT equipment. | (Network-King) |
| 15 | Generic IoT / CCTV surveys and research | Numerous scans and studies repeatedly find that a large share of IoT/CCTV/embedded devices are left with factory defaults or easily guessed passwords, enabling scraping, spying, botnets and access to physical spaces. | Widespread unchanged default passwords. | (cloudflare.com) |